DeepQueue – Store and Forward

By T.Rob Wyatt
About this podcast
Discussion and news about WebSphere MQ security.
Latest episodes
Nov. 27, 2009
This episode of The Deep Queue celebrates the first birthday of the podcast with some discussion of the SSL protocol vulnerability that was recently discovered. Although there has been no announcement with regard to WebSphere MQ, I try to put …
Aug. 28, 2009
After a month-long unplanned hiatus, The Deep Queue is back. This month we are talking about high availability, which is obviously something The Deep Queue lacks. This may not seem like a security topic at first glance but to my way of thinking it is. There is no perfect security so, no matter how much you invest in protection, it’s a good idea to assume there will be a breach at some point. When that happens you need to detect it and recover from it. For that reason, whenever I perform a security assessment, monitoring and recovery are considered.

The first segment talks about planning for recovery from an adverse security event. The second segment is all about the new v7.0.1 of WebSphere MQ! Yes, the long-awaited refresh pack is released and you can download it now. In addition, the product manuals are all updated with the new features. The v7.0 release was massive and it seems hard to believe it would be followed so quickly by another release with this much functionality but the folks in Hursley apparently don’t sleep. There’s lots of detail in the podcast and at the links below.

Links for this episode:
IBM WebSphere MQ V7.0 is enhanced with increased availability, security, and governance, IBM United States Software Announcement 209-245, August 25, 2009 http://bit.ly/1anQmy
IBM WebSphere MQ for z/OS V7.0.1 delivers storage and memory improvements and increased availability for queue-sharing groups, IBM United States Software Announcement 209-248, August 25, 2009 http://bit.ly/3bv4pv
developerWorks: Mission:Messaging: Planning for SSL on the WebSphere MQ network http://bit.ly/3loir
July 4, 2009
The June 29 episode of The Deep Queue is finally up! Sorry about the delay, I was on an engagement last week that had me staying over the weekend in Boston to perform a production implementation on Saturday. Although I’ve got a great recording setup at home, I’m afraid I don’t have decent equipment to do the podcast on the road. Instead, I flew my wife up to Boston and we spent Sunday at the aquarium and then went to see Blue Man Group.

The week’s delay worked out great though, because last week a friend contacted me to tell me his shop needs to remediate for PCI compliance. He has a hundred days to create a segmented MQ network within which to isolate his PCI applications. The time limit is due to having found out about the problems in the course of an audit rather than through independent research or assessment. Since this is likely to be a growing problem, it turned out to be my topic for this month’s episode.

The reason I think this will be a growing problem is that I am among the folks talking with the assessment community about WMQ security, the implementation gaps that are commonly seen and methods for assessment and remediation that are currently available. Hopefully, the participation of the assessment community will result in refining these existing tools and creating best practices for securing MQ in a regulatory compliance context such as PCI.

I’m also excited to be working with some old friends at Evans Resource Group. ERG is building a business around helping assessors get up to speed with WebSphere MQ. They are creating a curriculum and tools and are already working with some of their first clients in this space. Many of the folks at ERG are Reconda alums who I worked with to develop AppWatch so I’m confident they will do a great job. I’ll be working with them next week to help them develop and fine-tune their content and get the reactions of those initial clients.

Lots more about all this in the podcast so please download it or the transcript and let me know your thoughts. Also, don’t forget to sign up for the webinar I’m giving July 10th at noon Eastern, entitled What You Don’t Know About Middleware Vulnerabilities Will Hurt You. The webinar is structured for assessors and QSAs and includes my 5-Minute WebSphere MQ Assessment.

Links from the podcast:
PCIKnowledgebase.com: http://PCIKnowledgebase.com
Webinar: What You Don’t Know About Middleware Vulnerabilities Will Hurt You https://www2.gotomeeting.com/register/848961386
Evans Resource Group home page: http://www.evansresourcegroup.com
Evans Resource Group free MQ security check: http://www.evansresourcegroup.com/technologies-6b.html
Prolifics home page: http://www.prolifics.com
Prolifics free MQ Health and Security Check: http://www.prolifics.com/Collateral/Documents/English-US/service-brochures/Prolifics_WebSphereMQ_HealthSecurityCheck.pdf
Capitalware homepage: http://www.capitalware.biz
Capitalware consulting services: http://www.capitalware.biz/services.html
Primeur homepage: http://www.primeur.com
Primeur Data Secure for WebSphere MQ: http://www.primeur.com/products/data_security/spazio_data_secure.html#dswmq
May 25, 2009
The subject of the UC Berkeley data breach was discussed on the May 15th Security Squad podcast. The thing that struck me was that the breach itself was not the topic of conversation but rather the debate was about whether the breach was in fact newsworthy. If you are not familiar with it, 160,000 Social Security numbers and medical information were stolen in the UC Berkeley data breach. This notion that breaches of the “trusted” internal network are so common that it’s possible to discuss with a straight face whether a breach of this magnitude is newsworthy is itself worthy of some discussion.

In this episode of The Deep Queue, I tackle this topic as well as the idea of software “never events”. The term was coined in the medical professions to refer to preventable events with serious or deadly consequences: the kind of events that should never happen, such as operating on the wrong body part or wrong person. The National Quality Foundation has developed a list of 28 such events which are used to report and track quality of care across the nation. Bob Charette guested on the CERT Security podcast to campaign for a similar set of events in the software industry. In this episode of The Deep Queue, I propose my own list of WebSphere MQ never events.

Links for this episode:
University of California Berkeley Data Breach http://datatheft.berkeley.edu/news.shtml
Security Squad, SearchSecurity.com podcast for May 15, 2009 http://itknowledgeexchange.techtarget.com/security-wire-weekly/squad-data-breach-burn-out/
PrivacyRights.org Chronology of Data Breaches http://www.privacyrights.org/ar/ChronDataBreaches.htm#CP
BankInfoSecurity.com – List of banks reported to have been affected by the Heartland breach tops 600 http://www.bankinfosecurity.com/articles.php?art_id=1200
National Quality Forum – Serious Reportable Events (a.k.a. “Never Events”) http://www.qualityforum.org/projects/completed/sre/fact-sheet.asp
CERT Security podcast series for May 5, 2009 http://www.cert.org/podcast/
WebSphere MQ Security Heats Up – Blog post with downloadable setmqaut scripts to secure administrative access to WebSphere MQ. http://t-rob.net/2008/07/08/websphere-mq-security-heats-up/
May 3, 2009
No, that’s not mortgage risk. Someone’s already done that and look where it got us. No, I’m talking about mortgaged risk – the act of saving time or money by accepting risk that is hard to measure but easy to hide or ignore. The risk is essentially a mortgage on your future: a hidden cost that will be paid eventually.

In this episode of The Deep Queue I consider just how much risk has been stuffed into the closet over the years. There’s a lot of unsecured MQ out there, after all. Up to now I’ve focused on what it means to the companies who are exposed. But this month I propose that this massive amount of deferred investment represents a great opportunity for companies positioned to perform assessments, implement remediations, or provide tools.

On the lighter side, listener email this month included a funny cartoon which I hope you enjoy.
April 3, 2009
This episode of The Deep Queue takes its inspiration from the thousandth time I was asked how to “turn on MQ security”. Yes, that’s right, the thousandth time. At least since I’ve been counting. There were perhaps half a thousand instances before I started keeping track. Unlike being the millionth customer at the local hair salon, you don’t want to be the thousandth person to ask me how to “turn on MQ security”.

“What do you mean ‘turn on’ security?” I asked. “What is it exactly you want security to do for you?”

“Well, you know…SECURE THE QUEUE MANAGER!” came the annoyed reply.

“What I mean is, are you trying to protect from eavesdropping, denial of service, message injection or what? And do you want prevention, detection or forensic capabilities?”

Since nobody there had thought about it in these terms, the answer back was “I don’t know, we will get back to you.” My dilemma is that if I have a ready-made answer for “how to turn on MQ security” it is likely not to address the real requirements…but at least I get work. If I try to drive out the real requirements, I put myself on the bench.

Links for this episode:
WMQ Security webinar for QSAs, internal auditors, security professionals and anyone interested in knowing how to tell if your WebSphere MQ network leaks administrative access: PCIKnowledgebase.com http://is.gd/qqOX
The Black Swan by Nassim Nicholas Taleb: http://is.gd/qqXX
Feb. 28, 2009
This episode of The Deep Queue contains news about the new MSoT stand-alone WMQ Explorer SupportPac, yet another payment processor data breach, updates to some items we’ve covered in the past and breaking news about a WebSphere MQ interim fix …
Feb. 2, 2009
This installment of The Deep Queue is about improving security by reducing the number of attack vectors that are exposed. Given two systems with equivalent functionality, the one with more exposed attack vectors is said to have a “larger attack surface”. As I explain in the podcast, having a smaller attack surface doesn’t automatically result in a more secure system, but it sure helps. There’s a possibility that having a smaller attack surface makes you more likely to be the victim of a hit-and-run driver but you’ll have to listen to the podcast to understand why.

This episode also contains an installment of Random MQ Stuff. Links are below.

Links for this episode:
Minimize attack surface area (OWASP) – http://www.owasp.org/index.php/Minimize_attack_surface_area
WebSphere MQ Fix Pack 7.0.0.1 – http://is.gd/i1Da
APARs in 7.0.0.1 cited in this podcast: IC56408, IC58577, IC58797, IZ17158, IZ18954, IZ27491, IZ27588, IZ28844
SupportPac MS03 – http://is.gd/i1Da
IBM Consumability Surveys Managing WebSphere Products – http://is.gd/i1Da
WebSphere MQ API Exerciser Survey – http://is.gd/i1GL
Jan. 1, 2009
In this episode of The Deep Queue I explain why I believe the “trusted internal network” is a myth. Many of the problems that I see on consulting assignments would have been prevented by the same security measures I recommend to protect against malicious attacks. Except the incidents in question are not usually malicious, they are just human error. In most of these cases the fact that there are no secondary firewalls around Production assets, no defense in depth and no checks and balances allows a simple mistake to blossom into a full-scale incident with serious financial, and often reputational, damage.

But if companies don’t want to implement security to protect against honest mistakes, perhaps they will if there is a credible outsider threat. In this episode I argue that such a threat is real and to back that up I cite six US DOJ press releases from just the last two months describing malicious corporate network intrusions. The press releases also give us some insight into the state of tools available for cybercriminals and the degree to which the tools have been weaponized.
Links for this episode:
SAN JOSE WOMAN CHARGED WITH FRAUD IN CONNECTION WITH A PROTECTED COMPUTER http://www.usdoj.gov/criminal/cybercrime/leotiotaIndict.pdf
FORMER IT MANAGER SENTENCED TO PRISON FOR HACKING INTO PREVIOUS EMPLOYER’S COMPUTER SYSTEM AND CAUSING DAMAGE http://www.usdoj.gov/criminal/cybercrime/barnesSent.pdf
JUVENILE COMPUTER HACKER PLEADS GUILTY http://www.usdoj.gov/criminal/cybercrime/dshockerPlea.pdf
Multi-Million Dollar Home Equity Line of Credit, Identity Theft and Computer Intrusion Ring Busted http://www.usdoj.gov/criminal/cybercrime/polkCharge.pdf
HACKER CHARGED WITH PROVIDING DATA THEFT TOOL IN NATIONAL IDENTITY THEFT CASE http://www.usdoj.gov/criminal/cybercrime/wattCharge.pdf
FORMER MASSACHUSETTS INMATE ARRESTED FOR HACKING PRISON COMPUTER TO ACCESS PRISON MANAGEMENT PROGRAM http://www.usdoj.gov/criminal/cybercrime/janoskoIndict.pdf
Boffins bust web authentication with game consoles http://www.theregister.co.uk/2008/12/30/ssl_spoofing/
Dec. 2, 2008
The Deep Queue Episode #5 is now online. In this episode we cover some WMQ security news and introduce a new segment called Random WMQ Stuff which is pretty much what it sounds like. We also now have an iTunes …